When you decide to start using a cloud storage or online backup provider, you may have some worries about security: we’ve all seen the sensational headlines about starlets having naked pictures of themselves stolen from their online accounts. The power that the U.S. Senate has recently granted to ISPs may also inspire worry.
However, with proper security measures, your stored files can be just as safe in the cloud as they are on your laptop — if not safer. In this article we’ll talk a little about the most common ways cloud services protect your data.
With cloud storage, you don’t have to worry about the physical security of your data: even if your laptop or tablet gets stolen, you won’t have lost your documents and images. Most cloud storage breaches were actually facilitated by users who gave away their passwords, often as the victims of phishing. If this is a particular worry of yours, we recommend our guide on setting up a strong password.
Your introduction to the world of cloud storage is likely to be through the services of Dropbox, Google Drive or OneDrive. These services are backed by big corporations that can offer storage space free of charge.
The slick advertising of these big businesses mean that they manage to grab the attention of many potential cloud storage customers. However, thanks to the security blunders of these major players, specialist providers have found opening in the market. Good examples are Sync.com for storage and Carbonite for backup. Cloudwards.net also has a list of secure Dropbox alternatives.
Let’s take a look at some of the most common terms you’ll see when shopping for a cloud storage or backup provider.
HTTPS stands for Hypertext Transfer Protocol Secure. HTTP (without the “secure”) is a standard of messaging that all Web servers use to transfer Web pages to browsers. HTTPS adds a layer of security to these procedures and it is the bedrock of ecommerce.
You will see “https://” at the beginning of some addresses in the bar at the top of your browser. That means the Web page that you are looking at was transferred to your computer with the secured version of HTTP. You don’t need to worry too much about the security behind HTTPS; it’s the system that protects your credit card details when you pay for things online.
SSL and TLS
SSL means Secure Socket Layer and this protocol contains the procedures that put the “S” in HTTPS. In 2008, after running for a while, SSL was discovered to have some security weaknesses.
The protocol was open to “spoofing,” which means that hackers were able to forge the security certificates that formed the heart of the SSL verification system. These certificates contain the encryption key that the client is supposed to use in order to secure connections. Soon after, Transport Layer Security (TLS) protocol was designed to replace SSL.
Further weaknesses were discovered over the years and they caused the International Engineering Taskforce to “deprecate” the protocol in 2015, which effectively told everyone not to use SSL for security. Although no one implements SSL any more, the term is still often used: in reality, services that say they use SSL actually use TLS.
Although banks used to rely on HTTPS for security when they provide online banking, most have kicked their privacy features up a notch with two-factor authentication, which you often will see written as 2FA.
As with most logins, you need a username and a password, but 2FA requires some other method of identification on top of that. This should be something that only the user has and it can be a physical possession, or a secret piece of information. Some banks give clients a special card reader which generates a second pass code, while others will send you an access code by SMS.
iCloud uses a keychain device that generates a code. However, that keychain fob quickly disappeared when Apple integrated 2FA code generation into their standard products.
The Advanced Encryption Standard (AES)
The U.S. National Institute of Standards and Technology commissioned the creation of the Advanced Encryption Standard, or AES, to create a secure method of encryption that could be used by government agencies.
The encryption process involves transforming blocks of numbers by organizing them into a series of grids and then adjusting each number in the grid by applying a cryptographic key. The specifications for AES allows for different lengths of encryption keys. The shortest key used for encryption is 128 bits long and is often used for encryption on mobile devices. The most common length of key for cloud storage data encryption is 256 bits.
The length of the encryption key is important because the specifications of AES are publicly available. That means that anyone who knows the formula could crack the encryption simply by guessing the key.
You may remember some TV cybercrime thriller where the hackers use a computer program that whizzes through a series of numbers until it hits the right key, flashes, goes beep, and then one of the young hackers says, “We’re in.” Thanks to 256-bit encryption keys, that scene would end up being really long and boring.
There are 1.1 X 1077 possible key combinations. It would take 3.31 X 1056 years to guess right. To write that number out in full, you would have 33,100 followed by 53 more zeros. To make decryption even more time consuming, the AES encryption method transforms each grid of numbers 14 times over.
The AES system is so reliable that it has become the touchstone for security all over the Internet. However, thanks to the revelations of Edward Snowden and other leaks regarding the NSA tampering with encryption systems, some worry that even AES may not be completely secure.
If you just keep pictures of yourself on the beach in Cancun on your cloud account, then you should be more worried about TMZ getting them — especially if you are Jennifer Lawrence. For most people AES provides ample security.
Those who worry about an encryption system that was created for the U.S. government should look out for cloud storage systems that use the Blowfish security standard. This is older that AES and it had never been cracked until 2016 when the Sweet32 birthday attack was created. Even now, Blowfish is still thought to provide strong enough security for files smaller than 4GB.
The encryption system specification was published in 1993. As with AES, the definition allows for a range of key lengths, which each developer can choose from. The key specs range from 32 bits to 448 bits in length. As with AES, the longer the key, the stronger the security, so check out this stat when selecting a cloud storage provider, like CrashPlan, that uses Blowfish.
Both AES and Blowfish are symmetrical key systems. That means that the cipher used to encrypt the data is also needed to decrypt it. You may already have thought of a flaw with these methods when used for communicating data. How do both sides in a connection get the same key? If one sends the common key to the other, then that message cannot be encrypted because until it has the key, the corresponding computer would not be able to decrypt it.
The answer to this problem lies with asymmetric key systems, such as RSA. These encryption methods are also known as “public key.” The key that decrypts the protected message is not the same as the one that encrypts it.
It does not matter if a hacker gets hold of the encrypting key because all she will be able to do with it is encrypt messages that only the holder of the corresponding private key could ever decrypt. You cannot derive the private decryption key from the public encryption key.
RSA is named after its creators — Rivest, Shamir and Adelman. Most Internet encryption systems use a public key system to distribute the encryption ciphers needed for symmetric key systems, such as AES and Blowfish. RSA is the most frequently used private key system used for key exchange and it is used for key distribution in TLS methods, including HTTPS.
RSA has a 1,024-bit key, which is four times longer than the most commonly used AES key length of 256 bits and eight times longer than the minimum-length AES key of 128 bits.
Perfect Forward Secrecy
Internet-based encryption systems rely on client software that communicates with the server. The server is the remote computer that holds the files — the cloud storage facility. The client is at the other end of the connection. In the case of your access to cloud storage, the client is your computer.
When you sign up for a service such as Dropbox, the first thing that will happen is that the website will download an installer file for you to run. This installs the client software. Some Internet security systems will include the key for communication with the server in this download.
A potential problem with keys that are reused is that once someone learns that key, they can decrypt all the communications that your computer has with the server and get access to your private files. Perfect Forward Secrecy (PFS) is a methodology by which a new encryption key is used for each session.
If anyone out there has a system to snoop on your connection and capture the encryption key, they would be wasting their efforts because the next time you connect they would have to start their tasks all over again to get the new key.
Perfect Forward Secrecy adds an extra layer of protection to your privacy because it limits the amount of disclosure that any single security breach can deliver.
The specialist storage providers now operate zero-knowledge encryption. You may search the Web and discover information on the Zero Knowledge Protocol. That is something else: zero knowledge encryption simply means that all of the encryption of your files takes place on your computer before they are uploaded to the cloud.
The client software uses a separate process to scramble the files using a key that is resident on your computer. Files are then transferred using a standard method, such as TLS.
The employees of a zero-knowledge provider can never get to the raw files, only the encrypted version. As they also could not get access to the key, you are better off with zero-knowledge encryption than with ciphers that are applied during the transfer or when the files reach the server.
Further Security Measures
Zero-knowledge encryption is still not good enough for some. The security-conscious argue that the encryption software and keys all originate from the cloud storage provider, so there is still one central location that is vulnerable to attack.
If anyone wanted to get into all the files on a server that operates a zero-knowledge system, they would just need to hijack the key distribution stage.
If the software on your computer uses an encryption key that the hacker knows, then it really doesn’t matter where the encryption takes place, he can still get access to all the files on that cloud storage server.
If you install encryption software from another company on your computer, you increase your privacy. You can encrypt all of your files manually and then let the cloud storage client software re-encrypt and transfer the data. That way, if some miscreant has got into the cloud storage server’s encryption system, all she can do is decrypt a file to reveal another layer of encryption beneath.
Cracking a security system like that would entail breaking into every encryption software company in the world and manipulating their key distribution procedures. No one has the resources to achieve such a feat.
The degree of privacy that you need for your files greatly depends on the type of information you are storing. There is a wide range of cloud storage options out there and they vary from consumer-friendly free services, such as Dropbox, through to business systems that even the NSA could not crack.
Combining services can give you stronger security. Encrypting your files with completely separate software before you move them anywhere can give you the strongest possible levels of security.
Now you understand the terminology and issues behind security measures, you are better equipped to find the best cloud service to fit your needs. What security measures do you take? Let us know in the comments below, thank you for reading.